Use the X-Forwarded-For Header, Luke: Joomla RCE CVE-2015-8562

Posted on December 17th, 2015

Summary:

A recent vulnerability in Joomla (CVE-2015-8562) has been patched after reports of exploitation occurring in the wild impacting all versions from 1.5.0 to 3.4.5. A new version of Joomla (3.4.6) has been released in response, as well as hotfixes for backdated versions of the software (1.5.x and 2.5.x). Initial reports by Sucuri, of the exploit began occurring mid-day on 12 December from several different originating attackers (74.3.170.33, 146.0.72.83, and 194.28.174.106). It appears that there is a mass effort toward enumerating and exploiting this vulnerability on any public Joomla server that is accessible.

The current understanding of the vulnerability is that attacks occur using object injection in the HTTP user-agent, leading to full remote command execution with the privileges of the application. Additional testing revealed that the ‘x-forwarded-for’ header is also vulnerable, with the added benefit of no information being logged to the access.log file of the web server by default.

Shortly after the release of the aforementioned Sucuri article, several exploit POC examples began popping up. The initial release occurred on a public Chinese forum, with later posts (and more easily usable/functional attack strings) appearing on exploit-db.com and pastebin.com.

Exploitation:

The original PoC was located on pastebin, and later uploaded to exploit-db. This PoC allows for simple blind RCE on a vulnerable Joomla application. BreakPoint Labs modified the original PoC to automate the process of establishing a reverse shell on the victim system, or execute commands dynamically.

Below is an example of spawning a shell on a remote system by specifying a LHOST with switch “-l” and a LPORT with switch “-p”:
You can also utilize a shell-like environment to dynamically interact with the blind RCE. Below is an example of pulling over and executing a custom backdoor using switch “–cmd” and a Python HTTP Server:Detection:

Detecting this vulnerability can be difficult because a lot of the advice online has been to search your web logs for the presence of the attack strings. By default Apache does not log the “X-Forwarded-For” header, so the attacks demonstrated in this blog post do not show up in your logs:

$ cat access.log | egrep "(JDatabaseDriverMysqli|O:)"
$

BreakPoint Labs developed a Dshell module to aid defenders in detecting exploitation attempts and will catch both “User-Agent” and “X-Forwarded-For” header fields and print out the commands used: